Ceptor PortalProtect has support for WS-Security meaning it can be used to sign/encrypt outgoing SOAP messages, and it can verify signatures / decrypt incoming SOAP messages.

...

```java
package dk.itp.portalprotect.wss;

import java.util.Hashtable;
import java.util.Properties;

import dk.itp.portalprotect.wss.WSSAuthPluginSupport.Result;
import dk.itp.security.authentication.x509.AbstractX509CertificatePlugin;
import dk.itp.security.passticket.AuthTypes;
import dk.itp.security.passticket.PTException;
import dk.itp.security.passticket.User;
import dk.itp.security.passticket.server.AuthErrorCodes;

/**
 * SSL Cert plugin, which adds support for WSS
 *
 * @author Kim Rasmussen
 * @version $Revision: 1.1 $
 *
 * <pre>
 * PortalProtect - Security infrastructure
 * Copyright 2007, Asseco Denmark A/S, All rights reserved.
 *
 * This source code is confidential.
 * </pre>
 */
public class WSSAuthenticationPlugin extends AbstractX509CertificatePlugin {
	// Delegate that does the actual WS-Security work (signature validation, decryption, commands)
	WSSAuthPluginSupport wssauth;

	public Object executeCommand(User user, String name, Object input)
			throws PTException {
		return wssauth.executeCommand(user, name, input);
	}

	public void setConfiguration(Properties props) {
		super.setConfiguration(props);

		// statistics and providers are inherited from the X509 base plugin
		wssauth = new WSSAuthPluginSupport(statistics, providers);
		wssauth.setConfiguration(props);
	}

	public String getStatusText(String action) {
		return super.getStatusText() + wssauth.getStatusText(this, action);
	}

	public String getName() {
		return "WebService Security";
	}

	public int getAuthenticationType() {
		return AuthTypes.AUTHTYPE_WSS;
	}

	public int getAuthenticationLevel() {
		return 3;
	}

	public void confirm(User user, String signtext, Object credentials) throws PTException {
		verifyCertificate(user, credentials.toString(), true, true, null, signtext);
	}

	public void login(User user, String userid, Object credentials) throws PTException {
		// credentials is the signed (and possibly encrypted) SOAP message; validate and decrypt it first
		Result result = wssauth.logonValidateSignatureAndDecrypt(credentials.toString());
		try {
			if (user.stateVariables == null)
				user.stateVariables = new Hashtable();

			// Keep the decrypted SOAP available to the application
			user.stateVariables.put("soap", result.xmlOutput);

			if (result.subject != null) {
				// Populate the user from the subject of the certificate that signed the message
				user.username = result.subject.getProperty("CN");

				// CPR might be in userid, but this plugin wants it in customerID
				user.customerID = user.userid;
				user.userid = result.subject.getSerialNumber();
				user.password = null;
				user.isLoggedOn = true;

				if (result.subject.getO() != null)
					user.stateVariables.put("subject_o", result.subject.getO());
				if (result.subject.getOu() != null)
					user.stateVariables.put("subject_ou", result.subject.getOu());
				user.stateVariables.put("subject_dn", result.subject.getOrderedSubjectDN());

				if (result.cvr != null)
					user.stateVariables.put("cvr", result.cvr);
				if (result.pid != null)
					user.stateVariables.put("pid", result.pid);
				if (result.rid != null)
					user.stateVariables.put("rid", result.rid);
				if (result.uid != null)
					user.stateVariables.put("uid", result.uid);
			} else {
				// No signing certificate means no identity to log on with
				throw new PTException("No certificate or SOAP not signed", AuthErrorCodes.ERROR_USERNOTFOUND,
					"No certificate");
			}
		} catch (Throwable t) {
			cat.warn("Problem authenticating", t);
			throw new PTException("unexpected error occurred while authenticating using X509 Certificate",
				(short) - 1, t.getMessage());
		}
	}
}
```

...

This is a list of the methods that can be used for that…

Please refer to the javadoc for the most up-to-date list of methods and parameters.

...

```xml
<property name="wss.ws.default.signrequest" value="testvoces" description=""/>
<property name="wss.ws.default.encryptrequest" value="TDC TOTALLØSNINGER A/S - TDC Test" description=""/>
```

Note that when the client handler is called, a session ID normally needs to be present for the current thread in dk.itp.security.sessionctrl.PPSecurityContext; otherwise the client handler will not perform any action at all. The server handler uses the session ID from PPSecurityContext or, if that is not available, attempts to extract it from the HTTP request; if none is found, it creates a new session itself and uses that for the call. However, if the property wss.ws.xxxx.allowanonymouscalls is set to true, an anonymous PP session ID is used instead and the call is performed anyway. This makes it impossible for the PP server to verify whether the user is allowed to use the private key to sign the request, so only enable it if you accept having no access control on that part.


Signing XML

When signing XML (not SOAP requests), one of the parameters to setWSDoSignXML/signXML is a string, signatureDestination, which specifies where in the resulting XML the signature should be placed. It consists of a semicolon separated list of tag names from the parent inwards to the element that should hold the signature. A tag name can optionally be preceded by its namespace in {} braces, and the namespace can optionally be given a prefix by adding name: in front of the tag name.

e.g. it can be specified as: {http://some.namespace/url}parenttag;childtag;{http://some.other.namespace}other:signatureDestination

In the above example, the signature will be placed here:

```xml
<ns1:parenttag xmlns:ns1="http://some.namespace/url">
   <childtag>
      <other:signatureDestination xmlns:other="http://some.other.namespace">
         <xmldsig:signature xmlns:xmldsig="…">
            …
         </xmldsig:signature>
      </other:signatureDestination>
   </childtag>
</ns1:parenttag>
```
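As an added example (not code from this page or from Ceptor PortalProtect), the following Java class resolves a signatureDestination string with the syntax described above against a document, so a caller can check that the path exists before handing the XML to signXML. It assumes the destination path must already exist in the document (the page does not say whether missing elements are created), matches each step by namespace URI rather than by the prefix bound in the XML, and runs on a constructed sample; the class and method names are invented.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public final class SignatureDestinationCheck {
    // One path step: optional {namespace}, optional prefix:, then the tag name -> {namespaceOrNull, localName}.
    // The prefix is dropped because elements are matched by namespace URI, not by the prefix bound in the XML.
    static String[] parseStep(String token) {
        String ns = null, name = token.trim();
        if (name.startsWith("{")) {                        // optional {namespace}
            int close = name.indexOf('}');
            if (close < 0) throw new IllegalArgumentException("unterminated namespace in: " + token);
            ns = name.substring(1, close); name = name.substring(close + 1);
        }
        name = name.substring(name.indexOf(':') + 1);       // indexOf is -1 without a prefix, so nothing is cut
        if (name.isEmpty()) throw new IllegalArgumentException("empty tag name in: " + token);
        return new String[] { ns, name };
    }
    static boolean matches(Element e, String[] step) {
        return e.getLocalName().equals(step[1]) && (step[0] == null || step[0].equals(e.getNamespaceURI()));
    }
    // Walks the semicolon separated path from the document element inwards; fails on the first missing step.
    public static Element resolve(String xml, String destination) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);                          // required: getLocalName()/getNamespaceURI() are null otherwise
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);   // refuse DTDs (blocks XXE)
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        String[] steps = destination.split(";");
        Element current = doc.getDocumentElement();
        if (!matches(current, parseStep(steps[0])))
            throw new IllegalArgumentException("document element is not " + steps[0]);
        for (int i = 1; i < steps.length; i++) {
            String[] step = parseStep(steps[i]);
            Element next = null;
            for (Node n = current.getFirstChild(); n != null && next == null; n = n.getNextSibling())
                if (n instanceof Element && matches((Element) n, step)) next = (Element) n;
            if (next == null) throw new IllegalArgumentException("no element for step: " + steps[i]);
            current = next;
        }
        return current;
    }
    public static void main(String[] args) throws Exception {
        // Constructed input: the page's example document before the signature has been inserted.
        String xml = "<ns1:parenttag xmlns:ns1=\"http://some.namespace/url\"><childtag><other:signatureDestination xmlns:other=\"http://some.other.namespace\"/></childtag></ns1:parenttag>";
        Element dest = resolve(xml, "{http://some.namespace/url}parenttag;childtag;{http://some.other.namespace}other:signatureDestination");
        System.out.println("signature goes into <" + dest.getTagName() + ">");
    }
}
```

A wrong or misspelled step fails with the offending token in the exception message instead of a signature silently landing in the wrong element.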

XPath

...

Transformations

Some applications require XPath transformations – these can be applied with both the signXML and setWSDoSignXML methods.

...

Decryption only requires the XML and the alias of a private key loaded by the PortalProtect server; the server then decrypts the XML message.


```java
public class WSSAgent {

    /**
     * Sign and encrypt a SOAP message
     * @param sessionID  Session ID of user doing the signing
     * @param xml        XML SOAP request or response to sign and encrypt
     * @param signer     ID of signer, must be alias of key registered at PP server
     * @param receipient ID of receiver, either alias of public key/certificate, or email address or serial which can be looked up in TDC's LDAP server.
     * @return Signed and encrypted SOAP.
     * @throws PTException
     */
    public static String signAndEncryptSOAP(String sessionID, String xml, String signer, String receipient) throws PTException;

    /**
     * Sign and encrypt a SOAP message
     * @param sessionID       Session ID of user doing the signing
     * @param xml             XML SOAP request or response to sign and encrypt
     * @param signer          ID of signer, must be alias of key registered at PP server
     * @param receipient      ID of receiver, either alias of public key/certificate, or email address or serial which can be looked up in TDC's LDAP server.
     * @param partsDefinition Defines which parts to sign, e.g. "Body;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken"
     * @return Signed and encrypted SOAP.
     * @throws PTException
     */
    public static String signAndEncryptSOAP(String sessionID, String xml, String signer, String receipient, String partsDefinition) throws PTException;

    /**
     * Sign a SOAP message
     * @param sessionID Session ID of user doing the signing
     * @param xml       SOAP request or response to sign
     * @param signer    ID of signer, must be alias of key registered at PP server
     * @return Signed SOAP.
     * @throws PTException
     */
    public static String signSOAP(String sessionID, String xml, String signer) throws PTException;

    /**
     * Sign a SOAP message
     * @param sessionID       Session ID of user doing the signing
     * @param xml             SOAP request or response to sign
     * @param signer          ID of signer, must be alias of key registered at PP server
     * @param partsDefinition Defines which parts to sign, e.g. "Body;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken"
     * @return Signed SOAP.
     * @throws PTException
     */
    public static String signSOAP(String sessionID, String xml, String signer, String partsDefinition) throws PTException;

    /**
     * Validates and decrypts a signed and/or encrypted SOAP message
     * @param sessionID Session ID of user doing the validation
     * @param xml       SOAP to decrypt/check signature for.
     * @return Decrypted SOAP message
     * @throws PTException
     */
    public static String validateSignatureAndDecryptSOAP(String sessionID, String xml) throws PTException;

    /**
     * Logon with a signed XML message; the certificate which signed the message will be used for logging in.
     * @param sessionID Session to log in to
     * @param xml       SOAP to decrypt/check signature for.
     * @return Decrypted SOAP message
     * @throws PTException
     */
    public static String logonWithSOAP(String sessionID, String xml) throws PTException;

    /**
     * Signs a particular piece of XML (not SOAP) using XMLDSIG
     * @param sessionID            Session ID to use for signing
     * @param xml                  XML to sign
     * @param signer               ID of signer, must match alias or name of certificate configured on PP server
     * @param referenceIDs         List of references to sign
     * @param signatureDestination Place to put the signature in the XML, given as a list of tags from the parent inwards (see Signing XML above)
     * @return Signed XML
     * @throws PTException
     */
    public static String signXML(String sessionID, String xml, String signer, String[] referenceIDs, String signatureDestination) throws PTException;

    /**
     * Validates an XMLDSIG signed document.
     *
     * @param sessionID Session ID to use for validating
     * @param xml       Signed XML
     * @return List of certificates which signed this XML
     * @throws PTException
     */
    public static X509Certificate[] validateXMLSignature(String sessionID, String xml) throws PTException;
}
```